The U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and Philips have warned healthcare providers that one of the company’s radiation dose management tools is affected by potentially serious vulnerabilities.
Launched in November 2014, the Philips DoseWise Portal (DWP) enables healthcare providers to record, analyze and monitor imaging radiation doses for patients and clinicians across multiple diagnostic settings.
Versions 18.104.22.1683 and 22.214.171.12469 of DWP are affected by a couple of vulnerabilities that allow a remote attacker to gain access to the application database and the patient health information it stores.
One of the flaws, tracked as CVE-2017-9656 and classified as “critical severity,” exists due to the use of hardcoded credentials for a database account. The second vulnerability, CVE-2017-9654, is an issue related to login credentials being stored in clear text in backend system files.
“For an attacker to use or exploit these vulnerabilities to access the underlying DWP database, elevated privileges are first required in order for an attacker to access the web application backend system files that contain the hard-coded credentials,” Philips said in its advisory.
“Successful exploitation may allow a remote attacker to gain access to the database of the DoseWise Portal application which contains patient health information (PHI). Potential impact could include compromise of patient confidentiality, system integrity, and/or system availability,” the company added.
Philips said it was not aware of any attacks exploiting these vulnerabilities. The company pointed out that the product is classified as a low-safety-risk medical device.
The vendor expects to release an update and new documentation to address these issues later this month. Patches will be included in version 126.96.36.19918 and for users of version 188.8.131.523 Philips will reconfigure the DWP installation to change and encrypt passwords.
In the meantime, the company has advised users to ensure that security best practices are implemented across their network, and that port 1433 is blocked, except for cases where a separate SQL server is used.
Philips also issued security alerts recently to warn its customers about the NotPetya and WannaCry attacks. The company informed organizations that some products had been affected by the Windows vulnerability exploited by these pieces of malware.
Several other medical device manufacturers also issued warnings regarding these malware attacks.